use of org.keycloak.models.OAuth2DeviceUserCodeModel in project keycloak by keycloak.
the class DeviceEndpoint method handleDeviceRequest.
/**
* Handles device authorization requests.
*
* @return the device authorization response.
*/
@Path("")
@POST
@Consumes(MediaType.APPLICATION_FORM_URLENCODED)
@Produces(MediaType.APPLICATION_JSON)
public Response handleDeviceRequest() {
cors = Cors.add(request).auth().allowedMethods("POST").auth().exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS);
logger.trace("Processing @POST request");
event.event(EventType.OAUTH2_DEVICE_AUTH);
checkSsl();
checkRealm();
ClientModel client = authenticateClient();
AuthorizationEndpointRequest request = AuthorizationEndpointRequestParserProcessor.parseRequest(event, session, client, httpRequest.getDecodedFormParameters());
if (!TokenUtil.isOIDCRequest(request.getScope())) {
ServicesLogger.LOGGER.oidcScopeMissing();
}
// So back button doesn't work
CacheControlUtil.noBackButtonCacheControlHeader();
if (!realm.getOAuth2DeviceConfig().isOAuth2DeviceAuthorizationGrantEnabled(client)) {
event.error(Errors.NOT_ALLOWED);
throw new ErrorResponseException(OAuthErrorException.INVALID_GRANT, "Client not allowed for OAuth 2.0 Device Authorization Grant", Response.Status.BAD_REQUEST);
}
// https://tools.ietf.org/html/rfc7636#section-4
AuthorizationEndpointChecker checker = new AuthorizationEndpointChecker().event(event).client(client).request(request);
try {
checker.checkPKCEParams();
} catch (AuthorizationEndpointChecker.AuthorizationCheckException ex) {
throw new ErrorResponseException(ex.getError(), ex.getErrorDescription(), Response.Status.BAD_REQUEST);
}
try {
session.clientPolicy().triggerOnEvent(new DeviceAuthorizationRequestContext(request, httpRequest.getDecodedFormParameters()));
} catch (ClientPolicyException cpe) {
throw new ErrorResponseException(cpe.getError(), cpe.getErrorDetail(), Response.Status.BAD_REQUEST);
}
int expiresIn = realm.getOAuth2DeviceConfig().getLifespan(client);
int interval = realm.getOAuth2DeviceConfig().getPoolingInterval(client);
OAuth2DeviceCodeModel deviceCode = OAuth2DeviceCodeModel.create(realm, client, Base64Url.encode(SecretGenerator.getInstance().randomBytes()), request.getScope(), request.getNonce(), expiresIn, interval, null, null, request.getAdditionalReqParams(), request.getCodeChallenge(), request.getCodeChallengeMethod());
OAuth2DeviceUserCodeProvider userCodeProvider = session.getProvider(OAuth2DeviceUserCodeProvider.class);
String secret = userCodeProvider.generate();
OAuth2DeviceUserCodeModel userCode = new OAuth2DeviceUserCodeModel(realm, deviceCode.getDeviceCode(), secret);
// To inform "expired_token" to the client, the lifespan of the cache provider is longer than device code
int lifespanSeconds = expiresIn + interval + 10;
OAuth2DeviceTokenStoreProvider store = session.getProvider(OAuth2DeviceTokenStoreProvider.class);
store.put(deviceCode, userCode, lifespanSeconds);
try {
String deviceUrl = DeviceGrantType.oauth2DeviceVerificationUrl(session.getContext().getUri()).build(realm.getName()).toString();
OAuth2DeviceAuthorizationResponse response = new OAuth2DeviceAuthorizationResponse();
response.setDeviceCode(deviceCode.getDeviceCode());
response.setUserCode(userCodeProvider.display(secret));
response.setExpiresIn(expiresIn);
response.setInterval(interval);
response.setVerificationUri(deviceUrl);
response.setVerificationUriComplete(deviceUrl + "?user_code=" + response.getUserCode());
return cors.builder(Response.ok(JsonSerialization.writeValueAsBytes(response)).type(MediaType.APPLICATION_JSON_TYPE)).build();
} catch (Exception e) {
throw new RuntimeException("Error creating OAuth 2.0 Device Authorization Response.", e);
}
}
use of org.keycloak.models.OAuth2DeviceUserCodeModel in project keycloak by keycloak.
the class InfinispanOAuth2DeviceTokenStoreProvider method findDeviceCodeByUserCode.
private OAuth2DeviceCodeModel findDeviceCodeByUserCode(RealmModel realm, String userCode) throws HotRodClientException {
BasicCache<String, ActionTokenValueEntity> cache = codeCache.get();
String userCodeKey = OAuth2DeviceUserCodeModel.createKey(realm, userCode);
ActionTokenValueEntity existing = cache.get(userCodeKey);
if (existing == null) {
return null;
}
OAuth2DeviceUserCodeModel data = OAuth2DeviceUserCodeModel.fromCache(realm, userCode, existing.getNotes());
String deviceCode = data.getDeviceCode();
String deviceCodeKey = OAuth2DeviceCodeModel.createKey(deviceCode);
ActionTokenValueEntity existingDeviceCode = cache.get(deviceCodeKey);
if (existingDeviceCode == null) {
return null;
}
return OAuth2DeviceCodeModel.fromCache(realm, deviceCode, existingDeviceCode.getNotes());
}
use of org.keycloak.models.OAuth2DeviceUserCodeModel in project keycloak by keycloak.
the class BackchannelAuthenticationEndpoint method storeAuthenticationRequest.
/**
* TODO: Leverage the device code storage for tracking authentication requests. Not sure if we need a specific storage,
* but probably make the {@link OAuth2DeviceTokenStoreProvider} more generic for ciba, device, or any other use case
* that relies on cross-references for unsolicited user authentication requests from devices.
*/
private void storeAuthenticationRequest(CIBAAuthenticationRequest request, CibaConfig cibaConfig, String authReqId) {
ClientModel client = request.getClient();
int expiresIn = cibaConfig.getExpiresIn();
int poolingInterval = cibaConfig.getPoolingInterval();
String cibaMode = cibaConfig.getBackchannelTokenDeliveryMode(client);
// Set authReqId just for the ping mode as it is relatively big and not necessarily needed in the infinispan cache for the "poll" mode
if (!CibaConfig.CIBA_PING_MODE.equals(cibaMode)) {
authReqId = null;
}
OAuth2DeviceCodeModel deviceCode = OAuth2DeviceCodeModel.create(realm, client, request.getId(), request.getScope(), null, expiresIn, poolingInterval, request.getClientNotificationToken(), authReqId, Collections.emptyMap(), null, null);
String authResultId = request.getAuthResultId();
OAuth2DeviceUserCodeModel userCode = new OAuth2DeviceUserCodeModel(realm, deviceCode.getDeviceCode(), authResultId);
// To inform "expired_token" to the client, the lifespan of the cache provider is longer than device code
int lifespanSeconds = expiresIn + poolingInterval + 10;
OAuth2DeviceTokenStoreProvider store = session.getProvider(OAuth2DeviceTokenStoreProvider.class);
store.put(deviceCode, userCode, lifespanSeconds);
}
Aggregations